Banning a WordPress Spammer With .htaccess

Uugh. I’ve got this problem comment spammer. Today alone he posted over 1,000 comment spams on my blog. You can imagine how I felt about that. Did I mention I am a Marine (Semper Fi)! So, even though Akismet was doing its job, I was about ready to kill someone because I have to search through marked messages to take out the false positives.

Luckily some time ago I discovered a silver bullet for dealing with Akismet spam in the form of the Auntie Spam Greasemonkey script for the Firefox browser (Lorelle also just mentioned it). This script is invaluable because it adds two important spam-fighting features:

1. It groups all of the spams posted by the same spammer together and gives a total count on just one line.

2. It gives the IP address that the spams are originating from.

Now, in the case of my spammer, even though they were spamming different URLs, they all came from the same IP. Since Auntie Spam made it so easy to see this, all I needed to do was ban that IP address.

As Lorelle previously mentioned, one way to do this is by adding that IP address to the OPTIONS > DISCUSSION tab under Comment’s Blacklist. Unfortunately, this didn’t work for me, so I took the more drastic step of banning that sucker from my entire blog using the .htaccess file.

I thought this method could use a little more detail because it’s pretty drastic, so here’s specifically how to do it. (By the way, this requires the stand-alone WordPress, not WordPress.com).

Your WordPress install most likely has a document in the root directory (most often named public_html, httpdocs, or webdocs) called .htaccess. (Here is more about what an .htaccess file really is.) You need to download a copy of that .htaccess file to your local computer via FTP in order to edit it.

When you open the .htaccess file, and if you are using Permalinks, it will likely have the following content:

If you don’t have a .htaccess file, simply create a blank document by that name, and follow the remaining steps.

In order to block a certain IP address from access to your site you can add the following to the end of the .htaccess file in your web server document root directory:

## USER IP BANNING
## Apache 2.2 (mod_access) syntax; Apache 2.4 replaces Order/Allow/Deny with Require directives.
## Only GET and POST (HEAD counts as GET) are restricted inside this Limit block.
<Limit GET POST>
# "allow" rules are evaluated first, then "deny"; a matching deny wins.
order allow,deny
# The spammer's address: add one "deny from" line per IP you want to ban.
deny from 200.49.176.139
allow from all
</Limit>

There is also a nifty little .htaccess IP Banning Generator here to create the code for you. (Incidentally, it will also help you ban specific site referrers and disable hotlinking to your images and media.)

Now, you can continue to add more “deny from x.x.x.x” lines for all of the IP addresses you want to ban. But I would advise that you keep the list short. Also, remember that spammers tend to move around a lot, so this technique is best utilized for short periods of time. And generally, most spambots will remove a site from their list once they realize they can no longer get through to it, so you can probably remove the ban in a couple of weeks.
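The two steps above (grouping Akismet’s catches by source IP, then writing the deny block) can be automated. This is an added example, not code from the post or from Auntie Spam; the spam records are constructed, and the threshold and the public-address check are my own additions to keep the list short and keep malformed or private addresses out of .htaccess.

```python
import ipaddress
from collections import Counter

# Constructed sample of comments Akismet flagged: (source IP, spammed URL).
SPAM_COMMENTS = [
    ("200.49.176.139", "http://example.invalid/pills"),
    ("200.49.176.139", "http://example.invalid/casino"),
    ("200.49.176.139", "http://example.invalid/loans"),
    ("203.0.113.7", "http://example.invalid/loans"),   # documentation range, not a public host
    ("not-an-ip", "http://example.invalid/x"),          # junk value in the log
    ("10.0.0.5", "http://example.invalid/x"),           # private range, cannot be the spammer
]


def spam_counts_by_ip(comments):
    """Group spams by originating IP, the same view Auntie Spam gives per spammer."""
    return Counter(ip for ip, _url in comments)


def ips_to_ban(counts, threshold=3):
    """Public IPs with at least `threshold` spams, highest count first.

    Malformed strings and non-global addresses (private, loopback, documentation
    ranges) are skipped so nothing useless or harmful lands in .htaccess.
    """
    banned = []
    for ip, n in counts.most_common():
        if n < threshold:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not addr.is_global:
            continue
        banned.append(str(addr))
    return banned


def htaccess_ban_block(ips):
    """Render the Apache 2.2 deny block from the post, one deny line per IP."""
    lines = ["## USER IP BANNING", "<Limit GET POST>", "order allow,deny"]
    lines += [f"deny from {ip}" for ip in ips]
    lines += ["allow from all", "</Limit>"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(htaccess_ban_block(ips_to_ban(spam_counts_by_ip(SPAM_COMMENTS))))
```

Append the printed block to the end of your .htaccess (after backing it up), and re-run with a lower threshold only if the list stays short.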

If you forget to remove the ban and the IP is recycled to a legitimate user by the ISP, you will be blocking an innocent user from your content.

Two quick but important details:

1. Use an HTML editor to edit the .htaccess file. Some plain text editors will actually save it in a format that will screw it up.

2. BACKUP THE ORIGINAL before you overwrite it! If you don’t and you accidentally screw it up you might have to start all over with a blank .htaccess file and then update your Permalinks again.

Now… if we could just get Akismet to cut down on the false positives I’d really be pleased.
